fcksecurity wrote: Currently attacks occur using a vulnerability in a vulnerable FCKeditor version of the filemanager, as shipped with some ColdFusion servers: http://isc.sans.org/diary.html?storyid=6715
The vulnerability is about sending a PHP file (as test.php) BUT using a ZIP header at the beginning of the file to bypass the security check, and then putting the PHP (or ASP, CFM) code in the file. In this case, the PHP (or ASP, CFM) is evaluated on the server.
wiktor wrote: Please use the contact form to send us a message about discovered vulnerabilities. Whenever security issues are fixed, they are mentioned here: http://www.fckeditor.net/whatsnew.
wiktor wrote: The problem is in the application that is distributed with FCKeditor with the file browser enabled by default. We can't do much about that. If you download FCKeditor from our website, the file browser is disabled; you should read the configuration file carefully and enable it only for authenticated users.
This is yet another example of a vulnerability introduced in another application. FCKeditor does not try to detect the MIME type of a file; the extension check is based on the file name (extension).
- Is it possible to restrict access to the filemanager connector using an internal FCKeditor command, instead of disabling it for the moment?
Yes, open fckeditor\editor\filemanager\connectors\config.ext and make sure that enabled is set to true only for users that should have access to it.
Of the steps outlined by alfonsoml, our setup already follows 1-5; however, we have not yet upgraded to 2.6.4.1. We are currently running 2.6.4.
That being the case, does the security issue still exist if the file browser is enabled in config.ext yet LinkUpload, ImageUpload and FlashUpload are all disabled in fckconfig.js?
An attacker won't care about your fckconfig.js; that's just client-side code to hide the browse or upload buttons so your users don't have bad expectations, and it isn't related to security at all. They will go directly against your connector, and if you have left it enabled for everyone, then you are running a high risk.
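As an added example (not code from this thread or from FCKeditor), a Python model of the connector-side decision the replies above describe: the user must be authenticated, the verdict comes from the file name's extensions against allowed and denied lists, and a content sniff is included only to show why a ZIP header at the start of the file satisfies that kind of check while the name-based check still rejects it. The extension lists, sample bytes and file names are constructed for the example.

```python
from typing import List, Optional, Tuple

# Allow-list of upload extensions and a deny-list of server-side script
# extensions; both are placeholder values chosen for this example.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
DENIED_EXTENSIONS = {"php", "php3", "phtml", "asp", "aspx", "cfm", "jsp"}

# Leading bytes a naive content sniffer trusts to identify a file type.
MAGIC = {
    b"PK\x03\x04": "zip",
    b"\x89PNG\r\n\x1a\n": "png",
}

def sniff_magic(content: bytes) -> Optional[str]:
    """Type from leading bytes only; a ZIP header in front of script code passes this."""
    for magic, kind in MAGIC.items():
        if content.startswith(magic):
            return kind
    return None

def extension_chain(filename: str) -> List[str]:
    """Every extension in the name, lower-cased: 'a.PHP.jpg' -> ['php', 'jpg']."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.split(".")
    return [p.lower() for p in parts[1:]] if len(parts) > 1 else []

def check_upload(filename: str, content: bytes, authenticated: bool) -> Tuple[bool, str]:
    """Decide as the connector should: check the user, then the name, never the content."""
    if not authenticated:
        return False, "connector is disabled for anonymous users"
    exts = extension_chain(filename)
    if not exts:
        return False, "file has no extension"
    if any(e in DENIED_EXTENSIONS for e in exts):
        return False, f"denied extension in {filename!r}"
    if exts[-1] not in ALLOWED_EXTENSIONS:
        return False, f"extension {exts[-1]!r} is not in the allow-list"
    return True, f"accepted as {exts[-1]} (content sniffed as {sniff_magic(content)})"

# Constructed samples: ZIP magic in front of a harmless PHP placeholder, and a PNG header.
ZIP_PREFIXED_PHP = b"PK\x03\x04" + b"<?php /* constructed placeholder */ ?>"
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    print(sniff_magic(ZIP_PREFIXED_PHP))                     # zip: the sniffer is fooled
    print(check_upload("test.php", ZIP_PREFIXED_PHP, True))  # (False, ...): rejected by name
    print(check_upload("photo.png", PNG_SAMPLE, True))       # (True, ...)
    print(check_upload("photo.png", PNG_SAMPLE, False))      # (False, ...): anonymous
```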